Firewall Wizards mailing list archives

Re: Discretionary WiFi Access


From: John Adams <jna+dated+1121217368.5d89bc () retina net>
Date: Thu, 7 Jul 2005 18:16:08 -0700 (PDT)


On Thu, 7 Jul 2005, Dave Null wrote:

It's not firewall related, but there's some smart minds on this list.
My company has started looking into campus-wide WiFi. I'll keep my

The way I see it, you've got three options if you want to run wireless:

1) Open Internet Access, where the APs terminate access outside the firewall (or on a separate leg of the firewall). Corporate users have to use a VPN to get into the corp. network. This is what many large companies with campus-wide networks do. Pretty easy to implement with commercial VPN or Windows VPN solutions.

2) No access to network at all without network authentication (802.1X / TTLS / EAP / MS-CHAPv2 or PAP.) No one gets in unless they authenticate, and even then, there's different levels of authentication for different sections of the network. Hard to implement, but worth it in the end.

3) Same as #2, but you create a 'guest' account for Network Authentication with limited access. I don't like this one, and few admins do, but it keeps interlopers off your net.

-john


--
J. Adams                                        http://www.retina.net/~jna

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
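
Option 1 from the message above (APs on a separate firewall leg, corporate access only through a VPN), sketched as an nftables forward policy. This is an added example, not part of the original post; the interface names, the documentation-range VPN address and the choice of an IPsec VPN are assumptions.

```nftables
# Constructed example: all names and addresses below are placeholders.
define wifi_if = "eth2"        # firewall leg the APs terminate on (assumed)
define wan_if  = "eth0"        # Internet uplink (assumed)
define corp_if = "eth1"        # internal corporate network (assumed)
define vpn_gw  = 192.0.2.10    # VPN concentrator, RFC 5737 documentation address

table inet wifi_leg {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted
        ct state established,related accept

        # Wireless clients may reach the VPN concentrator only:
        # IKE (udp/500), NAT-T (udp/4500) and ESP
        iifname $wifi_if ip daddr $vpn_gw udp dport { 500, 4500 } accept
        iifname $wifi_if ip daddr $vpn_gw ip protocol esp accept

        # Wireless clients never reach the corporate network directly;
        # log the attempts so they can be reviewed
        iifname $wifi_if oifname $corp_if log prefix "wifi-to-corp drop: " drop

        # Everything else from the wireless leg may only go out to the Internet
        iifname $wifi_if oifname $wan_if accept

        # Corporate hosts keep their normal outbound path
        iifname $corp_if oifname $wan_if accept
    }
}
```

With this layout a wireless client that has not brought up the VPN is treated exactly like an outside Internet host, which is the property option 1 relies on.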

